Policy-Based VPN

With a Policy-Based VPN, you need to specify manually on both
sides of the VPN which subnets will be exposed from site A to site B and from
site B to site A.

On a standard Cisco router/firewall, you have to create an
access-list (ACL) that lists the local and remote subnets (the "interesting
traffic") the tunnel will carry. This ACL is referenced in the 'crypto map'
section of the VPN configuration.

Every time a new subnet is created (such as 10.3.20.0/24 on the VMC
SDDC side), you would then need to update the VPN configuration, which is
obviously not ideal.

Policy-Based VPN

In the case
of VMware Cloud on AWS, this means that every time a new logical network is
created, we have to update the VPN configuration across all VPNs and across
all remote sites in order for that new subnet to be able to communicate with
all the remote sites.

Policy-Based VPN – Manual Updates

You would need to update the VPN configuration on the VPN on-premises and on the VMware Cloud on AWS side.
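To make the maintenance burden described above concrete, here is an added example (not from the original post, and not VMware or Cisco code) that parses a constructed Cisco IOS crypto ACL of the kind a crypto map references, checks which on-premises/SDDC subnet pairs are not covered by any permit entry, and renders the permit lines (and their mirrored counterparts for the far side) that an administrator would have to add after a new SDDC subnet such as 10.3.20.0/24 appears. The ACL name VPN-TO-SDDC, the crypto map name VMC-MAP, the peer address and all subnets are constructed sample values.

```python
import ipaddress

# Constructed sample of a Cisco IOS crypto ACL referenced by a crypto map.
# Addresses use IOS wildcard masks (the inverse of a netmask).
SAMPLE_CONFIG = """\
ip access-list extended VPN-TO-SDDC
 permit ip 192.168.10.0 0.0.0.255 10.3.10.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 10.3.11.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 10.3.10.0 0.0.0.255
crypto map VMC-MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 match address VPN-TO-SDDC
"""


def _take_network(tokens, i):
    """Read one IOS address operand starting at tokens[i]; return (network, next_index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    # "address wildcard" form: netmask is the bitwise inverse of the wildcard
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{tokens[i]}/{netmask}", strict=False), i + 2


def parse_crypto_acl(config_text, acl_name):
    """Return [(src_net, dst_net), ...] for the 'permit ip' entries of the named extended ACL."""
    entries = []
    in_acl = False
    for line in config_text.splitlines():
        if not line.startswith(" "):
            # A top-level line either opens our ACL or ends it
            tokens = line.split()
            in_acl = tokens[:3] == ["ip", "access-list", "extended"] and tokens[3] == acl_name
            continue
        if not in_acl:
            continue
        tokens = line.split()
        if tokens[:2] != ["permit", "ip"]:
            continue
        src, i = _take_network(tokens, 2)
        dst, _ = _take_network(tokens, i)
        entries.append((src, dst))
    return entries


def missing_subnet_pairs(entries, local_subnets, remote_subnets):
    """Return (local, remote) subnet pairs that no permit entry in the crypto ACL covers."""
    gaps = []
    for local in local_subnets:
        lnet = ipaddress.IPv4Network(local)
        for remote in remote_subnets:
            rnet = ipaddress.IPv4Network(remote)
            covered = any(lnet.subnet_of(src) and rnet.subnet_of(dst) for src, dst in entries)
            if not covered:
                gaps.append((local, remote))
    return gaps


def suggest_permits(gaps, mirror=False):
    """Render the IOS permit lines that would close each gap.

    With mirror=True the source and destination are swapped, which is what the
    peer at the other end of the tunnel needs in its own crypto ACL.
    """
    lines = []
    for local, remote in gaps:
        a, b = ipaddress.IPv4Network(local), ipaddress.IPv4Network(remote)
        if mirror:
            a, b = b, a
        lines.append(f" permit ip {a.network_address} {a.hostmask} {b.network_address} {b.hostmask}")
    return lines


if __name__ == "__main__":
    entries = parse_crypto_acl(SAMPLE_CONFIG, "VPN-TO-SDDC")
    on_prem = ["192.168.10.0/24", "192.168.20.0/24"]
    sddc = ["10.3.10.0/24", "10.3.11.0/24", "10.3.20.0/24"]  # 10.3.20.0/24 is the new subnet
    gaps = missing_subnet_pairs(entries, on_prem, sddc)
    print("Pairs not covered by VPN-TO-SDDC:")
    for local, remote in gaps:
        print(f"  {local} <-> {remote}")
    print("Lines to add on-premises:")
    print("\n".join(suggest_permits(gaps)))
    print("Mirrored lines to add on the far side:")
    print("\n".join(suggest_permits(gaps, mirror=True)))
```

Running the script against the sample shows that adding one SDDC subnet leaves a gap for every on-premises subnet that must reach it, on both ends of every tunnel; the same check can be run against a saved running-config to spot policy drift before users report that a new network is unreachable.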